Overview

WordPress has released security updates to address a critical vulnerability (CVE-2024-25600) impacting their Bricks Builder Plug-in. Successful exploitation of the vulnerability may allow an attacker to perform remote code execution and gain control of the server.

Description

CVE-2024-25600 (CVSS score of 9.8) is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which could allow an unauthenticated user to exploit it to execute arbitrary PHP code.

Impact

Successful exploitation of this vulnerability may allow a remote attacker to take control of the affected system.

Solution

Users and administrators of affected product versions are advised to update to the latest version immediately.

References

• 1. https://www.csa.gov.sg/alerts-advisories/alerts/2024/al-2024-021
• 2. https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/